Linux Security Mailing List Infiltrated, Crippled by Hackers

The mail server hosting the members-only security mailing list "Vendor-Sec" for open-source vendors has been severely damaged, shutting down the closed list for the time being.

Hackers compromised a private e-mail list used by
distributors of open-source software to discuss security
vulnerabilities and forced the list to shut down.

The "Vendor-Sec" security list was used by Linux and BSD distributors and developers to discuss potential security vulnerabilities in the kernel, libraries or applications. An unknown attacker opened up a backdoor on the mail server hosting the list and was able to sniff all e-mail traffic, wrote Marcus Meissner, the moderator of the mailing list, in a message to the OSS Security mailing list on March 3. Even though Meissner closed that particular hole, the attacker managed to re-enter and destroy the server a day later. As a result, Meissner decided not to resurrect the server or the mailing list.

"So everyone please consider vendor-sec@....de is
dead and gone at this point, successors (or not) will hopefully result
out of this discussion," he wrote on March 4.

Meissner detected the original breach in late February, but the timestamps in the logs indicate the break-in may have occurred on Jan. 20, he wrote in the first note notifying members of the breach. However, he acknowledged there was a possibility the breach may have existed before Jan. 20. He also said he didn't know how the attacker had managed to compromise the machine.

The attacker likely used the security backdoor to
examine e-mail traffic and capture confidential information about
security vulnerabilities found in free and open-source products,
Meissner said. Members use the list to coordinate release schedules for
security updates and patches resolving bugs. Much of the information on
the list was under embargo to give vendors time to close their holes.
This is valuable information for criminals, as the list was a direct
source of exploits for unpatched vulnerabilities in Linux and BSD.

In his March 3 note, Meissner said the system
hosting the mail server was "quite old" and the administrators,
including himself, no longer had the time to keep the machine secure.
He'd disabled the backdoor, but said he expected it to reappear as he
was still unclear as to the actual attack path taken by the attacker.

He suggested moving the list to another server and proposed using GNU Privacy Guard (GnuPG), an open-source implementation of the PGP (Pretty Good Privacy) encryption standard for e-mail, so that all e-mail messages on the list are signed and encrypted.

Until the move, he recommended that embargoed issues not be sent to the list.
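The two mitigations above (sign and encrypt every post with GnuPG, and keep embargoed material off the list until that is in place) can be enforced at the list gateway rather than left to each member's discipline. The following is an added example, not code from the article or from the vendor-sec list software: a check that accepts a post only if it has the PGP/MIME structure defined in RFC 3156 (multipart/encrypted with an application/pgp-encrypted control part, or multipart/signed with an application/pgp-signature part) and rejects cleartext. It inspects message structure only; decrypting and verifying the signature would be done by GnuPG downstream. The sample messages are constructed and carry placeholder ciphertext.

```python
"""Gateway check for a members-only security list (added example).

Policy: embargoed posts must be PGP/MIME encrypted; with
require_encryption=False a PGP/MIME signed cleartext post is also allowed.
"""
from email import message_from_string
from email.message import Message


def classify_pgp_mime(msg: Message) -> str:
    """Return 'encrypted', 'signed' or 'cleartext' from the RFC 3156 structure."""
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        parts = msg.get_payload()
        # RFC 3156: exactly two parts, the first being the version control part.
        if len(parts) == 2 and parts[0].get_content_type() == "application/pgp-encrypted":
            return "encrypted"
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        parts = msg.get_payload()
        # RFC 3156: exactly two parts, the second being the detached signature.
        if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
            return "signed"
    return "cleartext"


def gateway_decision(raw: str, require_encryption: bool = True) -> tuple:
    """Decide whether a raw RFC 822 post may be distributed to the list."""
    kind = classify_pgp_mime(message_from_string(raw))
    if kind == "encrypted":
        return True, "accepted: PGP/MIME encrypted"
    if kind == "signed" and not require_encryption:
        return True, "accepted: PGP/MIME signed"
    return False, "rejected: %s post to an embargo list" % kind


# Constructed sample posts (addresses and ciphertext are placeholders).
ENCRYPTED_POST = """From: alice@example.org
To: list@example.org
Subject: embargoed issue
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext
-----END PGP MESSAGE-----

--b1--
"""

SIGNED_POST = """From: alice@example.org
To: list@example.org
Subject: signed but not encrypted
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="b2"

--b2
Content-Type: text/plain

Body visible to anyone sniffing the server.

--b2
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
placeholder-signature
-----END PGP SIGNATURE-----

--b2--
"""

CLEARTEXT_POST = """From: bob@example.org
To: list@example.org
Subject: plain post
Content-Type: text/plain

Details of an unpatched bug in cleartext.
"""

if __name__ == "__main__":
    for name, post in (("encrypted", ENCRYPTED_POST), ("signed", SIGNED_POST), ("cleartext", CLEARTEXT_POST)):
        print(name, gateway_decision(post))
```

A gateway like this would sit in front of the list expander; a sniffer on a compromised host then sees only ciphertext, and a member who forgets to encrypt gets a bounce instead of leaking an embargoed issue.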

The attacker re-entered the server shortly after
Meissner's e-mail and "went amok and destroyed the machine
installation," Meissner wrote in a follow-up note. With the system out
of commission, Meissner decided to not try to repair the machine or
move to the new host. Instead, he suggested the community discuss
whether there should be any changes in how the closed list was set up
and managed.

Meissner also questioned whether there was any need for this kind of closed mailing list, considering there are other mailing lists such as OSS Security. He also noted that many projects are beginning to be more active about doing their own management, so the usefulness of the list may have "diminished."

There were about 80 to 100 people from both
commercial and non-commercial firms on the mailing list, Meissner said,
"making leaks by members always a possibility." Access to the list was
provided on request.